
I'm having trouble getting CSP enabled for a client with a winding route through multiple domains.

From the client's browser, absolutely everything is presented as coming from domain_A - the application itself (app.domain_A.com) and the image rendering stack that is giving me CSP trouble (render.domain_A.com). The sticking point seems to be that both the app and image rendering stack are actually in a different domain (domain_B), and NAT'd to appear to the client as if they exist in domain_A.

I've another, almost identical client without the NAT shenanigans, and the following CSP directive works as expected (connect-src is the headache; the rest of the policies are excluded):

CSP Header: Content-Security-Policy=...;connect-src 'self' domain_A;

My understanding of CSP is that the browser enforces the policies delivered by the app server, so domain_B should not have any impact here, as the client browser doesn't know domain_B even exists. When the client browser requests to view an image, the backend does the heavy lifting and replies with a URL, NAT accounted for, granting access to the rendered image (ex: app.domain_A.com/view-an-image -> render.domain_A.com/rendered-image-guid). But CSP blocks it with the message: ...violates the following CSP directive: connect-src 'self' domain_A;

I tried various combinations of wildcards, and even tried including domain_B, with no luck. Only connect-src 'self' *; did the trick, but this effectively disabled CSP and should be avoided if possible.

Any tips or tricks, experts?

Thanks!

jfaulk919

0 Answers
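The connect-src problem in the question comes down to how a browser matches each source expression in the directive against the URL the script actually requests, so here is an added example: my own simplified re-implementation of the CSP Level 3 source-expression matching check, not code from the original post and not a browser's implementation, run against the URL named in the post. Assumptions: the page origin is https://app.domain_A.com, the request is an https fetch/XHR to render.domain_A.com, and 'nonce-'/'hash-' sources, redirect handling and percent-decoding of paths are left out.

```javascript
// Added example (not from the original post): a simplified re-implementation
// of the CSP Level 3 "does url match source expression" check, used to show
// which connect-src source lists allow a fetch to render.domain_A.com.
// Simplifications: no 'nonce-'/'hash-' sources, no redirect handling, and
// paths are compared without percent-decoding.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// An http/ws expression also covers the upgraded https/wss URL (CSP3 rule).
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme ||
    (exprScheme === "http" && urlScheme === "https") ||
    (exprScheme === "ws" && urlScheme === "wss");
}

// host-source: [scheme://]host[:port][/path]; host may be "*" or "*.suffix".
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9_-]+(?:\.[a-z0-9_-]+)*)(?::(\*|\d+))?(\/[^?#]*)?$/i;

function hostSourceMatches(expr, u, self) {
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, exprScheme, exprHost, exprPort, exprPath] = m;
  const urlScheme = u.protocol.slice(0, -1);
  // Scheme: explicit in the expression, otherwise inherited from the page.
  const scheme = (exprScheme || self.protocol.slice(0, -1)).toLowerCase();
  if (!schemeMatches(scheme, urlScheme)) return false;
  // Host: "*" is any host; "*.x" is any subdomain of x, but not x itself;
  // anything else must equal the URL host exactly (case-insensitively).
  const host = exprHost.toLowerCase();
  if (host.startsWith("*.")) {
    if (!u.hostname.endsWith(host.slice(1))) return false;
  } else if (host !== "*" && u.hostname !== host) {
    return false;
  }
  // Port: an omitted port means "the default port for the URL's scheme".
  const urlPort = u.port || DEFAULT_PORTS[u.protocol] || "";
  if (exprPort) {
    if (exprPort !== "*" && exprPort !== urlPort) return false;
  } else if (urlPort !== DEFAULT_PORTS[u.protocol]) {
    return false;
  }
  // Path: a trailing "/" is a prefix match, otherwise the path must be exact.
  if (exprPath) {
    if (exprPath.endsWith("/")) {
      if (!u.pathname.startsWith(exprPath)) return false;
    } else if (u.pathname !== exprPath) {
      return false;
    }
  }
  return true;
}

// True if any source expression in the directive value allows the URL.
function allowedBy(directiveValue, url, selfOrigin) {
  const u = new URL(url);
  const self = new URL(selfOrigin);
  return directiveValue.trim().split(/\s+/).some((expr) => {
    if (expr === "'none'") return false;
    if (expr === "'self'") return u.origin === self.origin; // simplified 'self'
    if (expr === "*") return /^https?:$/.test(u.protocol) || u.protocol === self.protocol;
    const scheme = /^([a-z][a-z0-9+.-]*):$/i.exec(expr); // scheme-source, e.g. "https:"
    if (scheme) return schemeMatches(scheme[1].toLowerCase(), u.protocol.slice(0, -1));
    return hostSourceMatches(expr, u, self);
  });
}

// Constructed inputs taken from the post: the page origin and the image URL.
const SELF_ORIGIN = "https://app.domain_A.com";
const IMAGE_URL = "https://render.domain_A.com/rendered-image-guid";

// Evaluate several candidate connect-src values against the image URL.
function evaluateCandidates() {
  const candidates = [
    "'self' domain_A",
    "'self' domain_A.com",
    "'self' *.domain_A.com",
    "'self' render.domain_A.com",
    "'self' http://render.domain_A.com",
    "'self' render.domain_A.com:8443",
    "'self' render.domain_A.com/rendered-",
    "'self' render.domain_A.com/",
    "'self' *",
  ];
  const results = {};
  for (const c of candidates) results[c] = allowedBy(c, IMAGE_URL, SELF_ORIGIN);
  return results;
}

for (const [policy, ok] of Object.entries(evaluateCandidates())) {
  console.log(`${ok ? "ALLOW" : "BLOCK"}  connect-src ${policy}`);
}
```

Two things the output makes concrete: a host source without a wildcard matches only that exact host, so `domain_A` or `domain_A.com` never covers `render.domain_A.com`, while `*.domain_A.com` covers every subdomain (but not the apex itself); and the check runs purely on the URL the script requests, so an origin that is NATed behind domain_A is irrelevant as long as the URL the browser sees is in domain_A. When checking a real violation, compare the `blocked-uri` in the report (or the URL in the console message) against the source list with these rules, and remember that connect-src governs fetch/XHR/WebSocket/EventSource/beacon connections only; an `<img>` element load is checked against img-src instead.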